SSH, REQUIRES_PWCHANGE and policies problem

Andreas Ntaflos daff at pseudoterminal.org
Thu Sep 1 19:03:56 EDT 2011


On 2011-09-02 00:42, Russ Allbery wrote:
> Andreas Ntaflos <daff at pseudoterminal.org> writes:
> 
>> However, when a policy is set, and the user's new password does not
>> conform to that policy, SSH does not inform the user of the problem, it
>> simply re-prompts for the original password and then asks for a new
>> password again. Naturally, a user will find this confusing.
> 
> pam-krb5 on Debian and Ubuntu, which presumably is what you're using,
> tries to tell the user about a password change failure by sending a
> message to the PAM conversation of type PAM_ERROR_MSG.  It sounds like for
> some reason ssh isn't accepting and displaying that message?
> 
> Could you try adding "debug" to the PAM options for the auth stack and see
> if the output in your local syslog about what pam-krb5 saw as the password
> change error is correct?  You should see something prefixed with
> krb5_change_password.  (I wonder if that should be logged at a level
> higher than debug.)

Russ, thanks for your prompt response, again!

It seems indeed that SSH gets informed that the password change failed,
but doesn't know much else. I don't see a message prefixed with
"krb5_change_password", I'm afraid.

After adding "debug" to the pam-krb5 options the server's SSH logs show
this when the user logs in and changes the password:

pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser at EXAMPLE.COM
pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Password change failed
pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa  user=testuser
error: PAM: Authentication failure for testuser from xx.yy.zz.aa
pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser at EXAMPLE.COM

> Ah, hm.  The other possibility is that the Kerberos library may be
> handling the password change internally, in which case I'm not sure what
> its prompting behavior is on password change failure.  Actually, that's
> the most likely, since usually the Kerberos library, since it's given a
> prompter function, will just do everything internally.  Maybe it doesn't
> print out the reason for a failed password change?

I don't know anything about the Kerberos library internals but when
using the normal "passwd" program with the PAM stack described in my
previous message I indeed get informed of the policy violation:

testuser at shellserver:~$ passwd
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Server error: New password is too short.
Please choose a password which is at least 10 characters long.
passwd: Authentication token manipulation error
passwd: password unchanged

Are passwd and SSH's PAM/challenge-response stuff even related?

Andreas
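The debug lines above show the pattern the thread is about: pam-krb5 logs the real cause ("Password change failed") at debug level, while the only thing the calling application sees is a generic "authentication failure". The following parser and correlation routine is an added example, not part of the mail thread or of pam-krb5; it reconstructs the quoted syslog lines as a constructed sample (joined back onto single lines, with the mail's redacted "xx.yy.zz.aa" host kept as a placeholder) and pairs each password-change failure with the generic failure that followed it for the same user, which is what a defender would want when triaging confusing SSH login failures against a Kerberos realm with password policies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the pam_krb5 / pam_unix debug lines quoted in the mail,
# re-joined onto single lines (the mail client wrapped them). The remote host
# "xx.yy.zz.aa" is the mail's own placeholder, not a real address.
SAMPLE_LOG = """\
pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser at EXAMPLE.COM
pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Password change failed
pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa  user=testuser
error: PAM: Authentication failure for testuser from xx.yy.zz.aa
"""

# Linux-PAM modules prefix their syslog lines with "module(service:stack): ".
PAM_LINE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<stack>[^)]+)\): (?P<body>.*)$")
# pam-krb5 additionally tags per-user messages with "(user NAME) ".
USER_PREFIX = re.compile(r"^\(user (?P<user>\S+)\) (?P<rest>.*)$")
# The generic failure line carries key=value pairs (logname=, uid=, rhost=, user=).
KV = re.compile(r"(\w+)=(\S*)")


@dataclass
class PamEvent:
    module: str
    service: str
    stack: str
    user: Optional[str]
    rhost: Optional[str]
    message: str


def parse_pam_line(line: str) -> Optional[PamEvent]:
    """Parse one PAM syslog line; returns None for lines not emitted by a PAM module
    (e.g. sshd's own 'error: PAM: ...' summary)."""
    m = PAM_LINE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    user = None
    um = USER_PREFIX.match(body)
    if um:
        user = um.group("user")
        body = um.group("rest")
    fields = dict(KV.findall(body))
    if user is None:
        # pam_unix puts the account in user=, pam_krb5 in logname=
        user = fields.get("user") or fields.get("logname") or None
    rhost = fields.get("rhost") or None
    return PamEvent(m.group("module"), m.group("service"), m.group("stack"), user, rhost, body)


def parse_log(text: str) -> List[PamEvent]:
    return [ev for ev in (parse_pam_line(l) for l in text.splitlines()) if ev]


def password_change_failures(events: List[PamEvent]) -> List[dict]:
    """For every pam_krb5 'Password change failed' debug line, find the generic
    'authentication failure' that the same module logged next for the same user.
    The former is the real cause; the latter is all the application was told."""
    findings = []
    for i, ev in enumerate(events):
        if ev.module != "pam_krb5" or "Password change failed" not in ev.message:
            continue
        reported = next(
            (e for e in events[i + 1:]
             if e.module == ev.module and e.user == ev.user
             and e.message.startswith("authentication failure")),
            None,
        )
        findings.append({
            "user": ev.user,
            "rhost": reported.rhost if reported else None,
            "cause": ev.message,
            "reported_to_app": reported.message.split(";")[0] if reported else None,
        })
    return findings


if __name__ == "__main__":
    for f in password_change_failures(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}@{f['rhost']}: app saw '{f['reported_to_app']}', "
              f"real cause '{f['cause']}'")
```

Run against the constructed sample this reports a single finding for testuser: the application-visible message is the bare "authentication failure", while the cause is "krb5_get_init_creds_password: Password change failed". In a real deployment the same correlation over syslog (with "debug" in the pam-krb5 options, as suggested in the thread) distinguishes a policy-rejected password change from an actual wrong-password attempt, which otherwise look identical to sshd.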
